Until earlier today, Microsoft’s Skype video/voice/text messaging system had a security hole Vladimir Putin could ride a shark through. According to TheNextWeb, which broke the story, Russian hackers began discussing the hole on a forum two months ago, and have been using it ever since.
The trick required nothing more than accurately guessing which email address was associated with your Skype account; hacking the email itself was not necessary. Hackers created a new account tied to that same email and then, with a simple password reset request, tricked Skype into treating this “new” user as you, gaining control of your account. They could impersonate you, steal your contacts, lock you out, and even root through your conversation history and logs.
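As an added illustration, not Skype's code and not taken from TNW's report, here is a simplified Python model of the account-collision weakness described above, placed beside a hardened reset flow that binds each email address to one verified account and issues reset tokens for that account only. The service classes, usernames and example.com addresses are all constructed for the example.

```python
import secrets

class WeakResetService:
    """Models the flaw: registration never proves ownership of the email,
    and a reset keyed on the address alone covers every account sharing it."""
    def __init__(self):
        self.accounts = {}  # username -> email (claimed, never verified)

    def register(self, username, email):
        self.accounts[username] = email

    def request_reset(self, email):
        covered = [u for u, e in self.accounts.items() if e == email]
        return {"token": secrets.token_urlsafe(16), "accounts": covered}

class HardenedResetService:
    """Same API, hardened: an address binds to at most one verified
    account, and only that account can be reset through it."""
    def __init__(self):
        self.accounts = {}        # username -> email (claimed, unverified)
        self.verified_owner = {}  # email -> username (proven, unique)

    def register(self, username, email):
        if email in self.verified_owner:
            raise ValueError("email already bound to a verified account")
        self.accounts[username] = email

    def verify_email(self, username):
        # Stands in for the confirmation-link check; claims the address exclusively.
        email = self.accounts[username]
        if self.verified_owner.get(email, username) != username:
            raise ValueError("email already bound to a verified account")
        self.verified_owner[email] = username

    def request_reset(self, email):
        owner = self.verified_owner.get(email)  # unverified address: no token at all
        return {"token": secrets.token_urlsafe(16), "accounts": [owner]} if owner else None

def takeover_possible(service_cls):
    """True if a second account on the victim's email gets a token covering the victim."""
    svc = service_cls()
    svc.register("victim", "victim@example.com")  # constructed sample users
    if hasattr(svc, "verify_email"):
        svc.verify_email("victim")
    try:
        svc.register("attacker", "victim@example.com")
    except ValueError:
        return False  # collision refused at registration
    reset = svc.request_reset("victim@example.com")
    return bool(reset) and {"victim", "attacker"} <= set(reset["accounts"])
```

The weak service hands the second registrant a token that also resets the original account; the hardened one refuses the duplicate binding outright and never issues a token for an address that has not been verified.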
Once TNW alerted them to the issue, Microsoft temporarily disabled Skype password resets, neutralizing the exploit. The company has issued a fix for the password reset bug, along with the following statement:
“Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.”
Nevertheless, it’s a good idea to use an unguessable email to control your online accounts.
Image via Adam Thomas/Flickr